Invited Speaker Seminar - CVE-2022-23491, or Why PO Boxes Can't Be Root Certificate Authorities Anymore
Date: Friday, October 27th, 2023 at 11 a.m.
Location: EV 3.309
Abstract
Mozilla curates the set of root certificate authorities that Firefox uses to validate server certificates, and hence hostnames, for TLS connections. Many other software projects, such as Tor Browser and the ca-certificates package, simply follow Mozilla's list; other entities, such as Apple and Microsoft, make their own inclusion decisions while taking Mozilla's decisions and the associated public discussion into account.
In March 2023, Mozilla introduced a new set of considerations for deciding on inclusions in, and removals from, its root store. Among these are being closely tied, through ownership or operation, to a spyware operation; having a P.O. box as an address or being a shell corporation; being audited by an auditor that audits no other certificate authority; and not being transparent on matters such as legal domicile and control.
In this talk, we'll discuss our research into a root certificate authority and the associated disclosure that led to Mozilla distrusting it and to GitHub assigning CVE-2022-23491. This happened despite there being no evidence of mis-issued certificates or of any wrongdoing tied to its certificate authority operations. The removal was followed soon after by Mozilla's new set of root inclusion considerations, some of which bear directly on our disclosure.
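The mechanism behind both the "following Mozilla's list" point and the distrust itself is simple: a TLS client trusts a server certificate only if it chains to a root in the client's store, so removing a root from the bundle is all it takes to break validation for every certificate issued under it. The following is an added example (not code from the talk, from Mozilla, or from any of the projects named) that builds this out in Go's standard library: it constructs two throwaway roots ("Example Root" and "Other Root") and a leaf for the hostname example.test, all invented for this demonstration, then checks the leaf against the bundle before and after the issuing root is removed by SHA-256 fingerprint, the identifier root programs use when they list a certificate for removal.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newRoot creates a self-signed root CA named cn (constructed for this example, not a real root).
func newRoot(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// issueLeaf has the root sign a TLS server certificate for hostname.
func issueLeaf(root *x509.Certificate, rootKey *ecdsa.PrivateKey, hostname string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		DNSNames:     []string{hostname},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, &key.PublicKey, rootKey)
	check(err)
	leaf, err := x509.ParseCertificate(der)
	check(err)
	return leaf
}

// fingerprint is the SHA-256 of the DER encoding, the usual identifier for a root slated for removal.
func fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// distrust returns bundle without any certificate matching fp; in a PEM bundle, removing a root is exactly this.
func distrust(bundle []*x509.Certificate, fp string) []*x509.Certificate {
	kept := []*x509.Certificate{}
	for _, c := range bundle {
		if fingerprint(c) != fp {
			kept = append(kept, c)
		}
	}
	return kept
}

// trusted is the check a TLS client makes against its root store: does leaf chain to a root in bundle for hostname?
func trusted(leaf *x509.Certificate, bundle []*x509.Certificate, hostname string) bool {
	roots := x509.NewCertPool()
	for _, c := range bundle {
		roots.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: hostname})
	return err == nil
}

// demo issues a leaf under one of two roots in a bundle, distrusts that root, and reports trust before and after.
func demo() (bool, bool) {
	exampleRoot, exampleKey := newRoot("Example Root")
	otherRoot, _ := newRoot("Other Root")
	leaf := issueLeaf(exampleRoot, exampleKey, "example.test")
	bundle := []*x509.Certificate{exampleRoot, otherRoot}
	return trusted(leaf, bundle, "example.test"),
		trusted(leaf, distrust(bundle, fingerprint(exampleRoot)), "example.test")
}

func main() {
	fmt.Println(demo())
}
```

Running it prints `true false`: the same leaf, unchanged and correctly signed, goes from trusted to untrusted purely because the bundle no longer contains its root. Nothing about the leaf or its issuer's behaviour enters into the check, which is why a root can be removed on governance grounds alone, and why a downstream bundle that mirrors Mozilla's list inherits that removal the moment it updates.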
Biography
Dr. Joel Reardon is an associate professor at the University of Calgary, researching security and privacy on mobile devices and the data collection carried out through them. He received his Bachelor's and Master's degrees at the University of Waterloo and his Doctor of Sciences at ETH Zurich. His research has been covered by CBC, the BBC, The Washington Post, and The Wall Street Journal, among other outlets. His research has received the Emilio Aced Research and Personal Data Protection Award, the CNIL - Inria Data Protection Award, and the Caspar Bowden Award for Outstanding Research in Privacy Enhancing Technologies.